US11855968B2ActiveUtilityA1

Methods and systems for deep learning based API traffic security

89
Assignee: PING IDENTITY CORPPriority: Oct 26, 2016Filed: Aug 4, 2022Granted: Dec 26, 2023
Est. expiryOct 26, 2036(~10.3 yrs left)· nominal 20-yr term from priority
H04L 63/0281G06F 21/55G06F 21/554G06F 21/6281G06N 20/00H04L 63/02H04L 63/04H04L 63/0807H04L 63/0876H04L 63/1425H04L 63/1458H04L 63/1491
89
PatentIndex Score
1
Cited by
208
References
18
Claims

Abstract

The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for deep learning based API traffic analysis and network security. The invention provides an automated approach to threat and/or attack detection by machine learning based accumulation and/or interpretation of various API/application traffic patterns, identifying and mapping characteristics of normal traffic for each API, and thereafter identifying any deviations from the normal traffic parameter baselines, which deviations may be classified as anomalies or attacks.

Claims

exact text as granted — not AI-modified
We claim: 
     
       1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to:
 receive an event trigger to analyze traffic parameter data associated with network traffic of an Application Programming Interface (API); 
 identify the API as associated with an API class from a plurality of API classes; 
 identify, in response to the event trigger, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; 
 analyze, using the anomaly detection model and in response to the event trigger, the traffic parameter data to identify deviations between the traffic parameter data and a traffic parameter baseline value associated with the API; and 
 restrict network traffic associated with the API when the deviations meet a criterion. 
 
     
     
       2. The non-transitory processor-readable medium of  claim 1 , wherein the event trigger is based on at least one of receiving a data request, receiving a data message, a periodic time event trigger or an instruction for initiating analysis. 
     
     
       3. The non-transitory processor-readable medium of  claim 1 , wherein the traffic parameter baseline value is based on a current time. 
     
     
       4. The non-transitory processor-readable medium of  claim 1 , wherein the traffic parameter baseline value is based on at least one of geolocation of a source of the network traffic, a datacenter associated with the network traffic, a device type associated with the network traffic, an application associated with the network traffic, an amount of the network traffic, or a payload type of the network traffic. 
     
     
       5. The non-transitory processor-readable medium of  claim 1 , wherein the traffic parameter baseline value is based on network traffic received from a plurality of sources. 
     
     
       6. The non-transitory processor-readable medium of  claim 1 , wherein the API is from a plurality of APIs, each API from the plurality of APIs associated with an anomaly detection model from the plurality of anomaly detection models. 
     
     
       7. The non-transitory processor-readable medium of  claim 1 , wherein the API is from a plurality of APIs and the receiving is at an API gateway configured to receive network traffic addressed to the plurality of APIs. 
     
     
       8. A method, comprising:
 receiving a data packet addressed to an Application Programming Interface (API); 
 identifying the API as associated with an API class from a plurality of API classes; 
 identifying, in response to receiving the data packet, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; 
 analyzing, using the anomaly detection model, traffic parameter data associated with the data packet to identify deviations between the traffic parameter data and a traffic parameter baseline associated with the API; and 
 classifying the data packet as an anomaly when the deviations meet a criterion. 
 
     
     
       9. The method of  claim 8 , wherein the API is from a plurality of APIs and the receiving is at an API gateway configured to receive network traffic addressed to the plurality of APIs. 
     
     
       10. The method of  claim 8 , further comprising:
 discarding the data packet based on classifying the data packet as an anomaly. 
 
     
     
       11. The method of  claim 8 , further comprising:
 restricting network traffic associated with the API based on classifying the data packet as an anomaly. 
 
     
     
       12. The method of  claim 8 , wherein the API is from a plurality of APIs associated with an API class, the identifying the anomaly detection model including identifying the anomaly detection model based on the API class. 
     
     
       13. The method of  claim 8 , wherein the receiving the data packet is at a time, the traffic parameter baseline is based on the time. 
     
     
       14. The method of  claim 8 , wherein the traffic parameter baseline is based on at least one of geolocation of a source of the data packet, a datacenter associated with the data packet, a device type associated with the data packet, an application associated with the data packet, an amount of network traffic addressed to the API, or a payload type of the data packet. 
     
     
       15. An apparatus, comprising:
 a memory; and 
 a processor of a network gateway associated with a plurality of Application Programming Interfaces (APIs), the processor operatively coupled to the memory, the processor configured to:
 receive an event trigger to analyze traffic parameter data associated with network traffic of an API from the plurality of APIs; 
 identify the API as associated with an API class from a plurality of API classes; 
 identify, in response to the event trigger, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; 
 analyze, using the anomaly detection model associated with the API class and in response to the event trigger, the traffic parameter data to identify deviations between the traffic parameter data and a traffic parameter baseline value associated with the API; and 
 restrict network traffic associated with the API when the deviations meet a criterion. 
 
 
     
     
       16. The apparatus of  claim 15 , wherein the event trigger is based on at least one of receiving a data request, receiving a data message, a periodic time event trigger or an instruction for initiating analysis. 
     
     
       17. The apparatus of  claim 15 , wherein the traffic parameter baseline value is based on a time associated with the network traffic. 
     
     
       18. The apparatus of  claim 15 , wherein the traffic parameter baseline value is based on at least one of geolocation of a source of the network traffic, a datacenter associated with the network traffic, a device type associated with the network traffic, an application associated with the network traffic, an amount of the network traffic, or a payload type of the network traffic.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.